Upload.php:
- should check access
- should check target location is in the files directory
- should use file_munge_filename
- should use a token to prevent CSRF
- should escape nid before display (XSS)
There may be additional problems.
The module:
- should use placeholders in ALL queries.
There may be additional problems.
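As an added example, not code from the module under review or from Drupal core: an upload callback that applies the five Upload.php points and the query point above. It assumes the Drupal 6 core API (user_access, node_access, drupal_get_token/drupal_valid_token, file_munge_filename, file_directory_path, file_check_location, file_move, db_query, check_plain); the permission name, the menu path, the {example_upload} table and every `example_` function are hypothetical.

```php
<?php
// Added example, not the module's or Drupal core's code. Assumes the Drupal 6
// core API. The permission 'upload files', the menu path, the {example_upload}
// table and all example_* names are hypothetical.

define('EXAMPLE_UPLOAD_EXTENSIONS', 'jpg jpeg gif png txt pdf');

/**
 * Returns the CSRF token the upload form must carry for $nid.
 *
 * drupal_get_token() binds the value to the current session, so a token read
 * from one user's page is useless in another user's session.
 */
function example_upload_token($nid) {
  return drupal_get_token('example_upload_' . (int) $nid);
}

/**
 * Menu callback for a hypothetical path example/upload/<nid>/<token>.
 *
 * Both arguments come straight from the URL and are treated as untrusted.
 */
function example_upload_page($nid, $token) {
  // Point 1: check access. Require the module permission and node-level
  // access instead of assuming anyone who reaches the URL may attach files.
  $node = is_numeric($nid) ? node_load((int) $nid) : FALSE;
  if (!$node || !user_access('upload files') || !node_access('update', $node)) {
    drupal_access_denied();
    return;
  }

  // Point 4: CSRF. Reject requests without a token minted for this nid in
  // this session; a form hosted on another site cannot obtain one.
  if (!drupal_valid_token($token, 'example_upload_' . $node->nid)) {
    drupal_access_denied();
    return;
  }

  if (empty($_FILES['files']['name']['upload'])) {
    drupal_set_message(t('No file was uploaded.'), 'error');
    return '';
  }

  // Point 3: neutralise the client-supplied name. file_munge_filename()
  // appends an underscore to extensions outside the allow-list, so
  // "shell.php.txt" becomes "shell.php_.txt" and is not executable.
  $name = basename($_FILES['files']['name']['upload']);
  $name = file_munge_filename($name, EXAMPLE_UPLOAD_EXTENSIONS);

  // Point 2: the destination must resolve inside the files directory.
  // file_check_location() resolves "..", absolute paths and symlinks and
  // returns 0 when the result lies elsewhere.
  $directory = file_directory_path();
  $dest = file_check_location($directory . '/' . $name, $directory);
  if (!$dest) {
    drupal_access_denied();
    return;
  }

  // Only accept a file PHP itself received in this request. On success
  // file_move() rewrites $source to the final path it chose.
  $source = $_FILES['files']['tmp_name']['upload'];
  if (!is_uploaded_file($source) || !file_move($source, $dest, FILE_EXISTS_RENAME)) {
    drupal_set_message(t('The file could not be saved.'), 'error');
    return '';
  }

  // Module-wide point: placeholders in every query. %d casts to an integer
  // and '%s' is escaped by db_query(); $nid and $name are never interpolated.
  db_query("INSERT INTO {example_upload} (nid, filepath, uid, timestamp) VALUES (%d, '%s', %d, %d)",
    $node->nid, $source, $GLOBALS['user']->uid, time());

  // Point 5: escape before display. $nid was validated as numeric above, but
  // anything that originated in the URL is escaped regardless.
  return '<p>' . t('Saved @file for node !nid.', array(
    '@file' => basename($source),
    '!nid' => check_plain($nid),
  )) . '</p>';
}
```

Forms built with the Form API carry their own token and do not need the manual drupal_valid_token() check; it is needed when the module renders its own HTML form or accepts the upload on a hand-built path, which is the case the review describes. The file_check_location() step is what blocks a name such as "../../sites/default/settings.php" even after munging, since munging changes extensions, not directory components.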
Comments
Comment #0.0
greggles: Update with actual content
Comment #1
drumm